b"                \xc2\xa0\n\n                \xc2\xa0\n\n                \xc2\xa0   U.S.\xc2\xa0ENVIRONMENTAL\xc2\xa0PROTECTION\xc2\xa0AGENCY\xc2\xa0\n\n                \xc2\xa0   OFFICE\xc2\xa0OF\xc2\xa0INSPECTOR\xc2\xa0GENERAL\xc2\xa0\n                \xc2\xa0\n\n                \xc2\xa0\n\n\n\n                    EPA\xe2\x80\x99s Office of\n                    Environmental Information\n                    Should Improve Ariel Rios\n                    and Potomac Yard\n                    Computer Room Security\n                    Controls\n                    Report No. 12-P-0879               September 26, 2012\n\n\n\n\nScan this code to\nlearn more about\nthe EPA OIG.\n\x0cReport Contributors:\t                              Rudolph M. Brevard\n                                                   Michael Goode\n                                                   Sabrena Stewart\n\n\n\n\nAbbreviations\n\nEPA           U.S. Environmental Protection Agency\nIT            Information technology\nOEI           Office of Environmental Information\nOIG           Office of Inspector General\nNIST          National Institute of Standards and Technology\nSP            Special Publication\n\n\n\n\n  Hotline\n  To report fraud, waste, or abuse, contact us through one of the following methods:\n\n  e-mail:    OIG_Hotline@epa.gov                      write:    EPA Inspector General Hotline\n  phone:     1-888-546-8740                                     1200 Pennsylvania Avenue NW\n  fax:       202-566-2599                                       Mailcode 2431T\n  online:    http://www.epa.gov/oig/hotline.htm                 Washington, DC 20460\n\x0c                        U.S. Environmental Protection Agency \t                                              12-P-0879\n                                                                                                    September 26, 2012\n                        Office of Inspector General\n\n\n                        At a Glance\nWhy We Did This Review              EPA\xe2\x80\x99s Office of Environmental Information\nThe U.S. Environmental              Should Improve Ariel Rios and Potomac Yard\nProtection Agency (EPA) Office      Computer Room Security Controls\nof Inspector General (OIG)\nconducted this audit to assess\nthe security posture and             What We Found\nin-place environmental controls\nof the computer rooms in the        The security posture and in-place environmental control review of the computer\nEPA Ariel Rios and Potomac          rooms in the Ariel Rios and Potomac Yard buildings revealed numerous security\nYard buildings in Washington,       and environmental control deficiencies. These control deficiencies greatly reduce\nDC, and Arlington, Virginia,        the ability of the Office of Environmental Information (OEI) to safeguard critical\nrespectively. This audit was        information technology assets and associated data from the risk of damage\nconducted in support of the         and/or loss.\naudit of EPA\xe2\x80\x99s directory service\nsystem authentication and            Recommendations/Planned Agency Corrective Actions\nauthorization servers.\n                                    We recommended in our draft report that OEI remediate physical and\n                                    environmental control deficiencies. Following the issuance of the draft report, OEI\nThis report addresses the           provided a corrective action plan with milestone dates to address agreed-upon\nfollowing EPA Goal or               recommendations. In its response, OEI agreed with recommendations 1 and 2,\nCross-Cutting Strategy:             and stated that it had completed corrective actions for recommendation 1. OEI\n                                    did not agree with recommendations 3 and 4 because it asserts that the Office of\n\xef\x82\xb7 Strengthening EPA\xe2\x80\x99s               Administration and Resources Management bears responsibility for remediation\n  workforce and capabilities.       for these recommendations. For recommendation 5, OEI did not agree because it\n                                    stated that it is already monitoring environmental variable information which\n                                    would alert it to the presence of a computer room water leakage. During the\n                                    audit, the OIG requested policies and procedures that address limiting water\n                                    damage to IT assets. OEI did not provide any documentation in response to this\n                                    request and the OIG concluded that such policies did not exist.\n\n                                    We consider recommendation 1 closed with agreed-upon corrective actions\n                                    complete. Recommendation 2 is open with agreed-upon corrective actions\n                                    pending. The OIG believes that OEI bears the responsibility for addressing\n                                    recommendations 3, 4, and 5 because it is responsible for managing IT assets in\n                                    the Ariel Rios and Potomac Yard computer rooms. We consider\nFor further information, contact\nour Office of Congressional and     recommendations 3, 4, and 5 unresolved with resolution efforts in progress.\nPublic Affairs at (202) 566-2391.\n\nThe full report is at:\nwww.epa.gov/oig/reports/2012/\n20120926-12-P-0879.pdf\n\x0c                       UNITED STATES ENVIRONMENTAL PROTECTION AGENCY\n                                    WASHINGTON, D.C. 20460\n\n\n                                                                                THE INSPECTOR GENERAL\n\n\n\n\n                                       September 26, 2012\n\nMEMORANDUM\n\nSUBJECT:\t EPA\xe2\x80\x99s Office of Environmental Information Should Improve Ariel Rios and\n          Potomac Yard Computer Room Security Controls\n          Report No. 12-P-0879\n\n\nFROM:\t         Arthur A. Elkins, Jr.\n\nTO:\t           Vaughn Noga\n               Director, Office of Technology Operations and Planning\n               Office of Environmental Information\n\n\nThis is our report on the subject audit conducted by the Office of Inspector General (OIG) of the\nU.S. Environmental Protection Agency (EPA). This report contains findings that describe the\nproblems the OIG has identified and corrective actions the OIG recommends. This report\nrepresents the opinion of the OIG and does not necessarily represent the final EPA position.\nFinal determinations on matters in this report will be made by EPA managers in accordance with\nestablished audit resolution procedures.\n\nAction Required\n\nThe Office of Environmental Information (OEI) agreed with recommendations 1and 2 and\nprovided corrective action plans. OEI did not agree with recommendations 3, 4, and 5. These\nrecommendations remain unresolved with resolution efforts in progress. Therefore, in\naccordance with EPA Manual 2750, you are required to provide a written response to this report\nwithin 90 calendar days. You should include a corrective action plan for recommendations 3, 4,\nand 5, including milestone dates. Your response will be posted on the OIG\xe2\x80\x99s public website,\nalong with our memorandum commenting on your response. Your response should be provided\nas an Adobe PDF file that complies with the accessibility requirements of Section 508 of the\nRehabilitation Act of 1973, as amended. The final response should not contain data that you do\nnot want to be released to the public; if your response contains such data, you should identify the\ndata for redaction or removal. We have no objections to the further release of this report to the\npublic. We will post this report to our website at http://www.epa.gov/oig.\n\nIf you or your staff have any questions regarding this report, please contact Rudolph M. Brevard,\nDirector, Information Resources Management Assessments, at (202) 566-0893 or\n\x0cbrevard.rudy@epa.gov; or Michael Goode, Project Manager, at (202) 566-0354 or\ngoode.michael@epa.gov.\n\x0c EPA\xe2\x80\x99s Office of Environmental Information                                                                                     12-P-0879\nShould Improve Ariel Rios and Potomac Yard\nComputer Room Security Controls\n\n\n                                      Table of Contents \n\n   Purpose........................................................................................................................     1\n\n\n   Background .................................................................................................................        1\n\n\n   Scope and Methodology.............................................................................................                  1\n\n\n   Findings .......................................................................................................................    1\n\n\n           Lack of Monitoring, Oversight, and Procedures Increases Risk of \n\n              Unauthorized Computer Room Access ...........................................................                            2\n\n           Uninterruptible Power Supply Lacks Ability to Automatically \n\n              Shut Down Critical IT Assets ...........................................................................                 3\n\n           Lack of Key Environmental Controls Increases Risk of \n\n              Water Damage to Critical IT Assets ................................................................                      3\n\n\n   Recommendations ......................................................................................................              4\n\n\n   Agency Comments and OIG Evaluation ...................................................................                              5\n\n\n   Status of Recommendations and Potential Monetary Benefits..............................                                             6\n\n\n\n\nAppendices\n   A       Agency Response to Draft Report....................................................................                         7\n\n\n   B       Distribution .........................................................................................................     11\n\n\x0cPurpose\n            The U.S. Environmental Protection Agency (EPA) Office of Inspector General\n            (OIG) conducted this audit to assess the security posture and in-place\n            environmental controls of EPA\xe2\x80\x99s Office of Environmental Information (OEI)\n            Ariel Rios computer room in Washington, DC, and Potomac Yard computer room\n            in Arlington, Virginia. This audit was conducted in support of the audit of EPA\xe2\x80\x99s\n            directory service system authentication and authorization servers\n\nBackground\n\n             OEI supports the Agency\xe2\x80\x99s mission to protect public health and the environment\n             by integrating quality environmental information to make it useful for informing\n             decisions, improving management, documenting performance, and measuring\n             success. The Ariel Rios and Potomac Yard computer rooms house information\n             technology (IT) assets that are used for Agency user authentication and\n             authorization, Internet connectivity, and data storage.\n\nScope and Methodology\n             We performed this audit from January 2011 through May 2012 in accordance\n             with generally accepted government auditing standards. Those standards require\n             that we plan and perform the audit to obtain sufficient and appropriate evidence\n             to provide a reasonable basis for our findings and conclusions based on our audit\n             objectives. We believe that the evidence obtained provides a reasonable basis for\n             our findings and conclusions based on our audit objectives.\n\n             We conducted the on-site review of the computer room security posture and in-\n             place environmental controls at the Ariel Rios and Potomac Yard computer\n             rooms in Washington, DC, and Arlington, Virginia, respectively, in April 2011.\n             The criteria used for the review were derived from the National Institute of\n             Standards and Technology (NIST) Special Publication (SP) 800-53,\n             Recommended Security Controls for Federal Information Systems and\n             Organizations, \xe2\x80\x9cPhysical and Environmental Protection Security\xe2\x80\x9d control family.\n             We evaluated the computer rooms through inquiry, observation, and review of\n             documentation.\n\n             We had no prior report recommendations for follow up during this audit for\n             these two specific sites.\n\nFindings\n            The Ariel Rios and Potomac Yard computer room control deficiencies greatly\n            reduce the ability of OEI to safeguard critical IT assets and associated data from\n            the risk of unauthorized access, damage, and/or loss. In particular, physical access\n            controls were not in place to monitor access to critical IT assets, and the server\n\n\n12-P-0879                                                                                    1\n\x0c            room lacked environmental controls to protect these assets from potential loss or\n            damage due to power outages and water leaks. NIST prescribes the selection and\n            implementation of appropriate security controls for an information system, which\n            represent the management, operational, and technical safeguards or\n            countermeasures employed to protect the confidentiality, integrity, and\n            availability of the system and its information. If OEI does not correct identified\n            weaknesses, it faces potential disruption of its operations.\n\n            Lack of Monitoring, Oversight, and Procedures Increases Risk of\n            Unauthorized Computer Room Access\n\n            The OIG was unable to determine if OEI has any policies and procedures in place\n            to ensure that computer room access is only granted to authorized employees. The\n            OIG was also unable to determine if OEI maintains a listing of employees\n            authorized to access the computer room. OEI indicated that they randomly review\n            the authorized employee access list, but the OIG was not provided with any\n            documentation to support that assertion. OEI's Ariel Rios and Potomac Yard\n            computer room visitor logs had not been used or reviewed. This lack of computer\n            room access controls increases the risk that unauthorized individuals may gain\n            entry into the computer room and damage critical IT assets.\n\n            NIST SP 800-53 states that an organization must do the following:\n\n               \xef\x82\xb7   Develop, disseminate, and review/update a formal, documented\n                   physical and environmental protection policy that addresses\n                   purpose, scope, roles, responsibilities, management commitment,\n                   coordination among organizational entities, and compliance\n               \xef\x82\xb7   Develop and keep current a list of personnel with authorized access\n                   to the facility where the information system resides\n               \xef\x82\xb7   Review and approve the access list and authorization credentials,\n                   removing from the access list personnel no longer requiring access\n               \xef\x82\xb7   Maintain visitor access records to the facility where the\n                   information system resides\n               \xef\x82\xb7   Review visitor access records\n\n\n            OEI must establish physical access policies and procedures to ensure that access\n            to facilities containing critical IT assets is documented and regularly reviewed by\n            management. OEI must also utilize and review visitor access logs for computer\n            rooms. These steps are essential to mitigating the risk of damage to critical IT\n            assets.\n\n\n\n\n12-P-0879                                                                                    2\n\x0c            Uninterruptible Power Supply Lacks Ability to Automatically Shut\n            Down Critical IT Assets\n\n            In emergency situations, OEI has only a limited ability to shut down the Ariel\n            Rios and Potomac Yard computer room IT assets in an orderly fashion. The\n            possibility of an orderly shutdown is hindered by the following conditions:\n\n               \xef\x82\xb7   Lack of generator to provide emergency power\n               \xef\x82\xb7   Lack of around-the-clock staff presence in computer rooms\n               \xef\x82\xb7   Short duration of existing uninterruptible power supply to provide\n                   backup power\n               \xef\x82\xb7   Lack of uninterruptible power supply capable of automatically\n                   shutting down IT assets\n\n            NIST SP 800-53 states that an organization should provide a short-term\n            uninterruptible power supply to facilitate an orderly shutdown of the information\n            system in the event of a primary power source loss.\n\n            In the Potomac Yard computer room, authorized personnel have only 1 hour and\n            30 minutes from the time power is lost to get to the computer room and manually\n            shut down the IT equipment; in the Ariel Rios computer room, we were told that\n            the length of time is only 3 minutes. These short periods during which backup\n            power is available, combined with the lack of dedicated around-the-clock staff\n            manning the computer rooms and the lack of an emergency generator and\n            automatic shutdown capabilities, increase the likelihood that personnel will not be\n            able to perform an orderly shutdown of IT assets in the event of a power loss.\n\n            Lack of Key Environmental Controls Increases Risk of Water Damage\n            to Critical IT Assets\n\n            Ariel Rios and Potomac Yard computer room IT assets are at risk of damage due\n            to accidental water leakage. Server cabinets containing the IT assets are located\n            directly under the computer rooms\xe2\x80\x99 overhead sprinklers, and the fire suppression\n            systems within the rooms are fully charged. Fully charged fire suppression\n            systems maintain water pressure at all times. These pipes could leak, especially at\n            points where the sprinkler heads connect to the water pipes. The computer rooms\n            also did not have compensating controls, such as leak shields, to protect these\n            assets from potential water damage.\n\n            Where there is a fully charged fire suppression system, the risk of water damage\n            from leaks may be mitigated by not placing IT assets directly under sprinkler\n            heads or pipes when possible. When it is not possible to relocate IT assets to areas\n            not directly under sprinkler heads and pipes, other compensating controls such as\n            leak shields attached to or above the cabinets should be utilized.\n\n\n\n\n12-P-0879                                                                                    3\n\x0c            The Ariel Rios and Potomac Yard computer rooms also did not have formal\n            procedures related to monitoring for water leaks in the computer room or for\n            actions to be taken in the event of a water leak. In addition, the Ariel Rios and\n            Potomac Yard computer rooms did not have master shutoff valves for the water\n            pipes running through the computer rooms or water detectors on the floor of the\n            computer rooms to alert personnel and permit them to take timely action in the\n            case of a water leak.\n\n            The U.S. Government Accountability Office Federal Information System\n            Controls Audit Manual specifies that environmental controls exist to help ensure\n            that building plumbing lines do not endanger the computer facility or, at a\n            minimum, that shutoff valves and procedures exist and are known. NIST SP\n            800-53 stipulates that an organization should protect information systems from\n            damage resulting from water leakage by providing master shutoff valves that are\n            accessible, working properly, and known to key personnel.\n\nRecommendations\n            We recommend that the Director, Office of Technology and Operations Planning,\n            Office of Environmental Information:\n\n               1.\t\t Develop and implement computer room policies and procedures that\n                    ensure that computer room access is only grant to authorized employees\n                    and that visitor access is approved, documented, and reviewed.\n\n               2.\t\t Acquire and implement an uninterruptible power supply that will\n                    automatically perform an orderly shutdown of IT assets without manual\n                    intervention in the event of a long-term loss of power.\n\n               3.\t\t Move the server racks so that they are not directly under sprinkler heads or\n                    water pipes, or, if that is not possible, install leak shields on or above the\n                    server racks directly under sprinkler heads or water pipes.\n\n               4.\t\t Install a master shutoff valve for the water pipes that flow through the\n                    computer room.\n\n               5.\t\t Develop and implement policies and procedures that address limiting\n                    water damages to IT assets in the computer room that include:\n\n                       a.\t\t 24 hours/day, 7 days/week monitoring\n                       b.\t\t Timely actions to be taken in the event of a water leak in the\n                            computer room\n\n\n\n\n12-P-0879                                                                                      4\n\x0cAgency Comments and OIG Evaluation\n\n            Following the issuance of the draft report, OEI provided a corrective action plan\n            with milestone dates to address agreed-upon recommendations. In its response,\n            OEI agreed with recommendations 1 and 2, but did not agree with\n            recommendations 3, 4, and 5. OEI did not agree with recommendations 3 and 4\n            because it asserts that the Office of Administration and Resources Management\n            bears responsibility for remediation for these recommendations. For\n            recommendation 5, OEI did not agree because it stated that it is already\n            monitoring environmental variable information which would alert it to the\n            presence of a computer room water leakage. OEI also stated that it has completed\n            corrective actions for recommendation 1.\n\n            We consider recommendation 1 closed with agreed-upon corrective actions\n            complete. Recommendation 2 is open with agreed-upon corrective actions\n            pending. The OIG believes that OEI bears the responsibility for recommendations\n            3 and 4 because it is responsible for managing IT assets in the Ariel Rios and\n            Potomac Yard computer rooms. Therefore, OEI needs to ensure that corrective\n            actions are carried out for recommendations 3 and 4. During the audit, the OIG\n            requested any policies and procedures that address limiting water damage to IT\n            assets. OEI did not provide any documentation for this request and the OIG\n            concluded that such policies did not exist. Therefore, recommendation 5 was\n            made to OEI. We consider recommendations 3, 4, and 5 unresolved with\n            resolution efforts in progress.\n\n\n\n\n12-P-0879                                                                                  5\n\x0c                                  Status of Recommendations and\n                                    Potential Monetary Benefits\n\n                                                                                                                               POTENTIAL MONETARY\n                                                    RECOMMENDATIONS                                                             BENEFITS (in $000s)\n\n                                                                                                                   Planned\n    Rec.    Page                                                                                                  Completion   Claimed    Agreed-To\n    No.      No.                          Subject                          Status1        Action Official            Date      Amount      Amount\n\n     1        4     Develop and implement computer room policies             C            Director, Office of\n                    and procedures that ensure that computer room                    Technology and Operations\n                    access is only grant to authorized employees and                     Planning, Office of\n                    that visitor access is approved, documented, and                  Environmental Information\n                    reviewed.\n\n     2        4     Acquire and implement an uninterruptible power           O            Director, Office of\n                    supply that will automatically perform an orderly                Technology and Operations\n                    shutdown of IT assets without manual intervention                    Planning, Office of\n                    in the event of a long-term loss of power.                        Environmental Information\n\n     3        4     Move the server racks so that they are not directly      U            Director, Office of\n                    under sprinkler heads or water pipes, or, if that is             Technology and Operations\n                    not possible, install leak shields on or above the                   Planning, Office of\n                    server racks directly under sprinkler heads or                    Environmental Information\n                    water pipes.\n\n     4        4     Install a master shutoff valve for the water pipes       U            Director, Office of\n                    that flow through the computer room.                             Technology and Operations\n                                                                                         Planning, Office of\n                                                                                      Environmental Information\n\n     5        4     Develop and implement policies and procedures            U            Director, Office of\n                    that address limiting water damages to IT assets in              Technology and Operations\n                    the computer room that include:                                      Planning, Office of\n                                                                                      Environmental Information\n                      a. 24 hours/day, 7 days/week monitoring\n                      b. Timely actions to be taken in the event of a\n                         water leak in the computer room\n\n\n\n\n1    O = recommendation is open with agreed-to corrective actions pending\n     C = recommendation is closed with all agreed-to actions completed\n     U = recommendation is unresolved with resolution efforts in progress\n\n\n\n\n12-P-0879                                                                                                                                         6\n\x0c                                                                                     Appendix A\n\n                   Agency Response to Draft Report\n\n                                      June 29, 2012\n\nMEMORANDUM\n\n\nSUBJECT:\t Follow-on Responses to Audit: EPA\xe2\x80\x99s Office of Environmental Information\n          Should Improve Ariel Rios and Potomac Yard Computer Room Security Controls,\n          Report Project No. OMS-FY11-0007\n\nFROM: \t        Maja Lee\n               Acting Director, Enterprise Desktop Solutions Division\n               Office of Technology Operations and Planning\n\nTHRU: \t        Vaughn Noga,\n               Director, Office of Technology Operations and Planning and\n               Chief Technology Officer\n\nTO: \t          Rudolph M. Brevard\n               Director, Information Resources Management Assessments\n               Office of the Inspector General\n\n\nThe purpose of this memorandum is to provide a response to the subject draft report and provide\nadditional clarification regarding the Office of Environmental Information\xe2\x80\x99s (OEI) security\ncontrols at the Ariel Rios and Potomac Yard Server Room facilities.\n\nOEI appreciates the OIG\xe2\x80\x99s desire to ensure EPA has adequate security controls in place.\nAttached is a detailed response to the draft report and a Corrective Action Plan for the actions\nwhich the Office of Technology Operations and Planning (OTOP) has the lead.\n\nIf you have any questions regarding this response, please contact me at 202-566-0300.\n\nAttachments\n\nCc: \t   Anne Mangiafico\n        Maja Lee\n\n\n\n\n12-P-0879                                                                                          7\n\x0c                              Office of Environmental Information \n\n                                     Corrective Action Plan \n\n                                          As of 07/11/12\n\n\nAuditing Group: OIG              Audit Title: Draft Report \xe2\x80\x93 EPA\xe2\x80\x99s Office of Environemtnal\nAudit No.: OMS-FY11-0007         Information Should Improve Ariel Rios and Potomac Yard\n                                 Computer Rooms Security Controls\nReport Date: May 31, 2012        OEI Lead and Phone: James Freeman 703-305-8186\nOEI Lead Office: OTOP/EDSD\n\nRecommendation          OIG Revised       Corrective        Planned         Status / Actions\n                      Recommendations      Action          Completion           Taken\n                                                              Date\n1. Develop and                          Completed                        Memorandum title:\nimplement                               Policies and                     Request for Access to\ncomputer room                           procedures are                   Secure Areas (Data\npolicies and                            currently in                     Center/LAN closet)\nprocedures that                         place to ensure                  creation date June\nensure that                             that computer                    8,2011\ncomputer room                           room access is\naccess is only                          only granted to\ngranted to                              employees with\nemployees with                          authorization\nauthorization and                       and that visitor\nthat visitor access                     access is\nis approved,                            approved,\ndocumented, and                         documented\nreviewed.                               and reviewed.\n\n\n2. Acquire and                          Concur As part Dec. 31,          POAM\xe2\x80\x99s will be\nimplement an                            of the Federal   2012            created in ASSERT to\nuninterruptible                         Government\xe2\x80\x99s                     track the installation\npower supply that                       data                             of the new power\nwill automatically                      consolidation                    source for Potomac\nperform an                              initiative, the                  Yard and the Federal\norderly shutdown                        Ariel Rios                       Government data\nof IT assets                            computer room                    center consolidation\nwithout manual                          will be closed                   initiative that will\nintervention in the                     and the servers                  affect computer\nevent of a long-                        migrated to                      rooms at EPA\nterm loss of                            Potomac Yard.                    headquarters.\npower.                                  Efforts are\n                                        underway with\n                                        GSA to install a\n                                        backup\n                                        generator at the\n\n\n 12-P-0879                                                                                     8\n\x0cRecommendation            OIG Revised       Corrective       Planned     Status / Actions\n                        Recommendations      Action         Completion       Taken\n                                                               Date\n                                          Potomac Yard\n                                          facility. The\n                                          generator will\n                                          provide 24/7\n                                          backup power\n                                          to the computer\n                                          room and in the\n                                          event of a\n                                          prolonged\n                                          power outage,\n                                          sufficient\n                                          notification\n                                          would enable\n                                          an orderly\n                                          shutdown of IT\n                                          assets.\n\n3 Move the server                         Non-Concur\nracks so that they                        As part of the\nare not directly                          Federal\nunder sprinkler                           Government\xe2\x80\x99s\nheads or water                            data\npipes, or, if that is                     consolidation\nnot possible,                             initiative, the\ninstall leak shields                      Ariel Rios\non or above the                           computer room\nserver racks                              will be closed\ndirectly under                            and the servers\nsprinkler heads or                        migrated to\nwater pipes.                              Potomac Yard.\n                                          Water damage\n                                          cannot be\n                                          avoided if the\n                                          sprinkler\n                                          system is\n                                          activated and\n                                          operates per\n                                          specifications\n                                          (i.e. sprays\n                                          water).\n\n                                          Refer to\n                                          OARM -\n\n\n\n 12-P-0879                                                                                  9\n\x0cRecommendation          OIG Revised       Corrective        Planned       Status / Actions\n                      Recommendations      Action          Completion         Taken\n                                                              Date\n                                        OARM is\n                                        responsible for\n                                        the facility and\n                                        water\n                                        sprinklers.\n\n4. Install a master                     Non-Concur\nshutoff valve for                       Refer to\nthe water pipes                         OARM -\nthat flow through                       OARM is\nthe computer                            responsible for\nroom.                                   the facility,\n                                        water pipes and\n                                        shut off valves.\n\n\n5. Develop and                          Non-Concur                      EPA monitors\nimplement                               Monitoring of                   environmental\npolicies and                            environmental                   variable information\nprocedures that                         variable                        through HP Openview\naddress limiting                        information                     with e-mail and text\nwater damages to                        such as water,                  message notifications\nIT assets in the                        fire,                           to personnel in order\ncomputer room                           temperature,                    to address any\nthat include a) 24                      humidity,                       reported issues.\nhours/day, 7                            power, and\ndays/week                               smoke is part of\nmonitoring; and                         the current\n(2) timely actions                      standard\nto be taken in the                      procedures, is\nevent of a water                        monitored 24/7\nleak in the                             and issues are\ncomputer room.                          reported to an\n                                        identified group\n                                        by text message\n                                        and email.\n\n\n\n\n 12-P-0879                                                                                   10\n\x0c                                                                                Appendix B\n\n                                    Distribution\n\nOffice of the Administrator\nAssistant Administrator for Environmental Information and Chief Information Officer\nPrincipal Deputy Assistant Administrator for Environmental Information\n        and Senior Information Official\nDirector, Office of Technology Operations and Planning, Office of Environmental Information\nAgency Follow-Up Official (the CFO)\nAgency Follow-Up Coordinator\nGeneral Counsel\nAssociate Administrator for Congressional and Intergovernmental Relations\nAssociate Administrator for External Affairs and Environmental Education\nSenior Agency Information Security Officer, Office of Environmental Information\nAudit Follow-Up Coordinator, Office of Environmental Information\n\n\n\n\n12-P-0879                                                                                 11\n\x0c"